Merge pull request #1635 from sharelatex/as-fix-broken-chat-mathjax

Fix broken messages in chat due to mathjax XSS filtering GitOrigin-RevId: 8d5eb1f4df6496cafabff4669e5e59633c160647
2025-01-24 08:30:44 +00:00 · 2019-03-18 11:59:46 +00:00 · 2019-03-18 11:59:46 +00:00 · e6e3c023ed
commit e6e3c023ed
parent 41f75b5936
2 changed files with 10 additions and 5 deletions
--- a/services/web/app/views/project/editor/chat.pug
+++ b/services/web/app/views/project/editor/chat.pug
@ -41,6 +41,7 @@ aside.chat(
 							.message-content
 								p(
 									mathjax,
+									mathjax-allow-html="true",
 									ng-repeat="content in message.contents track by $index"
 								)
 									span(ng-bind-html="content | linky:'_blank':{rel: 'noreferrer noopener'}")
--- a/services/web/public/src/directives/mathjax.js
+++ b/services/web/public/src/directives/mathjax.js
@ -1,15 +1,19 @@
 /* global MathJax, _ */

 define(['base'], function(App) {
-  return App.directive('mathjax', function($compile) {
+  return App.directive('mathjax', function($compile, $parse) {
    return {
      link(scope, element, attrs) {
        if (!(MathJax && MathJax.Hub)) return

-        const mathJaxContents = element.html()
-        const nonBindableEl = $compile('<span ng-non-bindable></span>')({})
-        element.html('').append(nonBindableEl)
-        nonBindableEl.html(mathJaxContents)
+        // Allowing HTML can be unsafe unless using something like
+        // `ng-bind-html` because of potential Angular XSS via {{/}}
+        if (!$parse(attrs.mathjaxAllowHtml)(scope)) {
+          const mathJaxContents = element.html()
+          const nonBindableEl = $compile('<span ng-non-bindable></span>')({})
+          element.html('').append(nonBindableEl)
+          nonBindableEl.html(mathJaxContents)
+        }

        if (attrs.delimiter !== 'no-single-dollar') {
          const inlineMathConfig =